DARPA Extreme DDOS Project Transforming Network Attack Mitigation

coondoggie quotes a report from Networkworld: Researchers with the Defense Advanced Research Projects Agency (DARPA) have quickly moved to alter the way the military, public and private enterprises protect their networks from high-and low-speed distributed denial-of-service attacks with a program called Extreme DDoS Defense (XD3). The agency has since September awarded seven XD3 multi-million contracts to Georgia Tech, George Mason University, Invincea Labs, Raytheon BBN, Vencore Labs (two contracts) and this week to the University of Pennsylvania to radically alter DDOS defenses. One more contract is expected under the program. [DARPA says the XD3 program looks to develop technologies that: Thwart DDos attacks by dispersing cyber assets (physically and/or logically) to complicate adversarial targeting, disguise the characteristics and behaviors of those assets to confuse or deceive the adversary, blunt the effects of attacks that succeed in penetrating other defensive measures by using adaptive mitigation techniques on endpoints such as mission-critical servers.]

central control = vulnerability to attack

[sittingnut]

if anything (eg a network ) require centralized control (to manage , to disseminate , to anything), it is vulnerable to attack .

"Thwart DDos attacks by dispersing cyber assets (physically and/or logically) to complicate adversarial targeting, disguise the characteristics and behaviors of those assets to confuse or deceive the adversary ..."

yes good, but that also means losing central control. in will 'complicate' attacks, but will also complicate managing and disseminating etc.

this is 101.

Re:central control = vulnerability to attack

Network nodes and many distributed assets don't require central control though. As long as you can provide an unsaturated path to a node or asset you've thwarted a volume based DDOS. Send encrypted control parameters or configuration information across all paths to a node, as long as it gets there it doesn't really matter what path it takes.

Don't get me wrong, I know it's a hard problem. Replication always is. It definitely will be more difficult to manage and susceptible to new kinds of attack but that doesn't mean it won't be an improvement on the current situation.

Run away!

[Hognoxious]

Thwart DDos attacks by dispersing cyber assets (physically and/or logically) to complicate adversarial targeting, disguise the characteristics and behaviors of those assets to confuse or deceive the adversary ...

So they're going to run away and hide?

Re:Run away!

It did seem a little vague.

So they're distributing single points of failure (physical location and routes to the node [multihoming presumably]), disabling ICMP (possibly messing with the results [confuse/deceive]) and turning off verbose output on Apache/nginx/node (disguise/hide node characteristics/behaviours)...

Cloudflare

[Z80a]

so it's kinda like cloudflare?

Is it really that hard?

[Squatting_Dog]

I admit that I know very little about networking, maybe someone more knowledgeable can tell me why - just blocking an ip that makes more than N connection attempts within Y amount of time won't stop a DDOS? Thanks in advance.....

Re: Is it really that hard?

[n0creativity]

Well as device or multiple devices need to make that distinction and act appropriately. Those devices (routers and firewalls) can become saturated with traffic and even the super expensive ones have limitations on how much traffic they can handle (deny OR allow). So when millions of botnet controlled nodes are sending massive amounts of traffic, it can overload the protective devices, not to mention saturating your Internet links. Some of these DDOS attacks are so huge that they have brought down the systems of the ISPs providing the internet links to the DDOS target.